quarta-feira, 20 de julho de 2016

RESOURCE: Security is a Process

Security is a process: It is not just a tool to produce you reports on potential holes (when probably you don't have the time or the skilled persons to browse through the detailed report it generates).

And this is what happens when you don't have the process in place. You will get to the cover page in the news (for the bad reasons):
https://www.publico.pt/portugal/jornal/auditoria-detectou-21-falhas-de-seguranca-no-sistema-informatico-dos-tribunais-21474798



Excellent initiatives at this level (security) are government initiatives like these ones:
Tools: (INTERNAL):
  1. At the "SW and Security Product Assurance technical area" a list of recommended tools can be found and some are security-related: https://delivery.critical.pt/TechAreas/sspa/SitePages/Web%20Application%20Security%20Testing.aspx (accessible from https://delivery.critical.pt/TechAreas/sspa/SitePages/Tools.aspx)
  2. Security Testing Tool Example: IBM AppScan: Used to perform automated web application security tests (dynamic). IBM Security AppScan Standard helps decrease the likelihood of web application attacks and costly data breaches by automating application security vulnerability testing. IBM Security AppScan Standard can be used to reduce risk by permitting you to test applications prior to deployment and for ongoing risk assessment in production environments. 
Remember: Your information system is as strong as its weakest link. For instance: If you don't patch your system components that you rely upon (e.g. your RDBMS, Application Servers, File Servers, Web Servers, target Operating Systems) who do you think your customer will turn to when a security flaw turns up?

History: 2017-11-30, updated with SSPA internal resources (and IBM Appscan tool).